Protecting API - CORS & Proxy

Gabriel · 2024-09-08T00:33:29.347+00:00

Hi everyone!I'm trying to protect my API secret keys by proxying the calls through my backend (Xano). To add some extra layer of security, I thought about setting some CORS rules, to make sure the calls to Xano are from my Toddle fronte end. It doesnt make sense to protect this APIs with user authentication.I saw i'ts common to use the origin url. But when I make the API call from Toddle to other services, I'm not getting any the Origin URL in the header. Do you guys have any other recommendation? Does it really help security or anyone could pass a origin URL?Any opinion if it would it be worth it deactivating the Proxy in the API calls to be able to get origin url?

Gabriel
1 year ago
Hi everyone!
I'm trying to protect my API secret keys by proxying the calls through my backend (Xano). To add some extra layer of security, I thought about setting some CORS rules, to make sure the calls to Xano are from my Toddle fronte end. It doesnt make sense to protect this APIs with user authentication.

I saw i'ts common to use the origin url. But when I make the API call from Toddle to other services, I'm not getting any the Origin URL in the header. Do you guys have any other recommendation? Does it really help security or anyone could pass a origin URL?

Any opinion if it would it be worth it deactivating the Proxy in the API calls to be able to get origin url?
@Gabriel
Hi everyone!
I'm trying to protect my API secret keys by proxying the calls through my backend (Xano). To add some extra layer of security, I thought about setting some CORS rules, to make sure the calls to Xano are from my Toddle fronte end. It doesnt make sense to protect this APIs with user authentication.

I saw i'ts common to use the origin url. But when I make the API call from Toddle to other services, I'm not getting any the Origin URL in the header. Do you guys have any other recommendation? Does it really help security or anyone could pass a origin URL?

Any opinion if it would it be worth it deactivating the Proxy in the API calls to be able to get origin url?
Zachary
1 year ago
Check out Unkey
Max
1 year ago
Hi @Gabriel! I am not 100% sure I understand the question.

Let me repeat the scenario in my words to make sure we are talking about the same thing:

1. You have a cloud service that you want to call via API from a Toddle app
2. You don't do that directly, but you call Xano and Xano in turn calls this service to hide the API secret (good practice 👍🏻)
3. The scenario is working as expected, and you want to add CORS config to enhance security

If the above is correct, then this is a good setup. Now, if you want to add CORS config, you can just add your origins to the Xano config, without changing any logic in your API endpoints. Your endpoints won't see the origin and they don't have to. CORS is a browser feature. Meaning that the browser will check if this endpoint can be called and if not, will prevent the call. But the API can still be called from any server, any REST client. So you cannot prevent that people can call this endpoint.
The only way to protect it is to add some form of authentication. CORS only prevents some forms of attacks. You should still configure it. It reduces the attack surface.

Deactivating the Toddle API proxy has no benefits in your scenario. But if you disable it, you weaken the security a bit.
@Max
Hi @Gabriel! I am not 100% sure I understand the question.

Let me repeat the scenario in my words to make sure we are talking about the same thing:

1. You have a cloud service that you want to call via API from a Toddle app
2. You don't do that directly, but you call Xano and Xano in turn calls this service to hide the API secret (good practice 👍🏻)
3. The scenario is working as expected, and you want to add CORS config to enhance security

If the above is correct, then this is a good setup. Now, if you want to add CORS config, you can just add your origins to the Xano config, without changing any logic in your API endpoints. Your endpoints won't see the origin and they don't have to. CORS is a browser feature. Meaning that the browser will check if this endpoint can be called and if not, will prevent the call. But the API can still be called from any server, any REST client. So you cannot prevent that people can call this endpoint.
The only way to protect it is to add some form of authentication. CORS only prevents some forms of attacks. You should still configure it. It reduces the attack surface.

Deactivating the Toddle API proxy has no benefits in your scenario. But if you disable it, you weaken the security a bit.
Gabriel
1 year ago
Thanks @Max! We are definitely talking about the same thing.
All clear, setting up the allowed origin in Xano default CORS config, and keeping up the proxy.
💪1

Protecting API - CORS & Proxy

Gabriel

Zachary

Max

Gabriel